Latest OMB guidance signals significant supply chain security demands on the horizon for software acquisitions
Sep 20, 2022 · Authored by Leo Alvarez
In a recent memorandum issued pursuant to Executive Order 14028, the White House announced challenging new requirements regarding software supply chain security for federal agencies and government contractors. To help ensure protection against cybersecurity threats, government contractors will be required to do the following depending on the criticality of the acquisition and software at hand:
- Submit a standard self-attestation form following guidance from the National Institute of Standards and Technology (NIST)
- Identify practices that cannot be attested with a Plan of Action & Milestones (POA&M)
- Ensure that software is developed in line with two documents published by NIST:
  - “Secure Software Development Framework” (SSDF)
  - “Software Supply Chain Security Guidance”
How will these changes to software procurements impact your business, your systems and your government contracts?
Baker Tilly is here to help. We offer a full suite of supply chain risk management (SCRM) services to help you establish an effective third-party risk management structure and keep pace with the government’s emerging needs—including Executive Order 14028, “Improving the Nation’s Cybersecurity.”
Our most recent Software Bill of Materials (SBOM) Guide has been updated to reflect these changes and prepare you for any subsequent guidance.